ABSTRACT

The authentication and security mechanism in a first program is used to access an application program which requires a different type of authentication and password. A server program runs in the same machine as the application program. The server program communicates with the first program; it is accessed through, and authenticates the user with, the security and authentication mechanism of the first program. After the user ID of a user who desires access to the second program has been authenticated using the authentication mechanism of the first program, the server program (a) generates a temporary password for the authenticated user ID, (b) changes the password for the authenticated user ID to the temporary password, (c) accesses the second program using the authenticated ID and the temporary password, (d) receives data and/or commands from the first program using the security mechanism of the first program and transmits this data and/or commands to the second program, and (e) receives data and/or commands from the second program and transmits the data and/or commands to the user using the security mechanism of the first program.

7 Claims, 4 Drawing Sheets 
MIDDLEWARE PROGRAM WITH ENHANCED SECURITY

FIELD OF THE INVENTION

The present invention relates to computer networks and more particularly to integrating a system which uses an individualized security protocol into a network that uses a distributed network security protocol.

BACKGROUND OF THE INVENTION

A new type of software generally termed "middleware" mediates between the large variety of hardware and software found in large heterogeneous computer networks. For example, in a large heterogeneous network, a single application program, such as a billing program, may utilize (i.e. call upon) software modules supplied by a dozen different suppliers, whose products may or may not be compatible with each other. Middleware programs coordinate (i.e. give harmony to) the individual components in a heterogeneous network. For a general discussion of middleware see ..., Jun. 1995.

Among the problems that must be addressed by middleware programs are "authentication" of users and "data protection" for transmitted data. Traditionally, authentication in computer systems is provided by the use of passwords and sign-on I.D.'s. Traditionally, data protection is provided by encryption. A large network may include a large number of different application programs each of which requires a separate password and a separate sign-on ID. FIG. 1 illustrates a typical prior art network. As shown in FIG. 1, a user 10 has a connection to a local computer 11 which is in turn connected to a network 12. The network in turn is connected to a number of systems which contain application programs 15A to 15E. The user can access and sign on to each of the applications 15A to 15E. Each of the applications 15A to 15E requires its own sign-on ID and password.

It is not uncommon for a single user to have a list of ten or even twenty sign-on ID's and passwords that the user must enter into the system at different times. Posting a list of sign-on ID's and passwords near a terminal is a terrible security risk; however, it frequently happens.

A group of companies including Hitachi, Hewlett Packard, Digital Equipment and IBM founded the Open Software Foundation (OSF), which developed a technology and architecture called DCE (Distributed Computing Environment). DCE allows interoperability in a network between heterogeneous platforms and operating systems. DCE establishes a standard cooperative computing architecture that connects dissimilar computers and that shares applications, information, and computing resources across a network. DCE provides programming services which support the development of applications without regard to the underlying complexity of the computing network. DCE includes a Security service, a Directory service, Remote Procedure Calls, etc. The security service in DCE includes what is called Kerberos authentication (see Neuman and Ts'o, "Kerberos: An Authentication Service for Computer Networks", IEEE Communications Magazine, v32, n9, September 1994, p 33-38, and "Security Architecture for ...", 1994, p 492-500). The DCE security service allows a user to utilize a single ID and password to access a number of different application programs in a network.

FIG. 2 illustrates a network which uses a DCE compliant protocol. A user 210 has a connection to a local system 211 which is connected to a network 212. The DCE network 212 is in turn connected to a number of DCE compliant applications 215A to 215D and a non DCE compliant application 215E. Non DCE compliant application 215E may for example be an Oracle data base. The DCE network provides a number of facilities including log-on security, data encryption, single sign on (SSO) access to network applications, and centralized directory services. Users only need to log in once, with one password, in order to access the network and the various DCE compliant applications 215A to 215D which are connected to the network. Since the DCE network uses a Kerberos authentication system, with respect to applications 215A to 215D, users are securely authenticated and passwords are never sent across the network.

One shortcoming of a DCE network is that for the DCE security features to work properly, all of the applications on the network must conform to the requirements of the DCE technology. If, for example, a network includes an application that uses a proprietary log-on and password system, such as an Oracle or a Sybase data base, then, contrary to normal DCE practice, where the network is used to connect to a non DCE compliant application (that is, to an application which uses a proprietary sign-on and password system) the log-on ID and the password must be sent across the network. Thus in order for user 210 to access non DCE application 215E, the user 210 must send a sign-on I.D. and a password across the network 212 where they may be intercepted or compromised.

SUMMARY OF THE INVENTION

The present invention provides a method and apparatus for integrating a processing system which uses a special, individualized security protocol into a network which uses a distributed network security protocol. The present invention utilizes the authentication and security mechanism in a first program to access a second program which requires a different type of authentication and password. The user does not have access to, or even know, the ID and password used to access the second program. The password used to access the second program (a) is never transmitted out of the computer where the second program resides and (b) only exists in memory associated with the present invention for a very short time, thereby providing security from interception.

The present invention provides a server program which runs in the machine where the application to be accessed resides. The server program communicates with the first program; it is accessed through, and authenticates the user with, the authentication mechanism of the first program. After a user who desires access to the second program has been authenticated using the authentication mechanism of the first program, the server program (a) generates a temporary password for the authenticated user ID, (b) changes the password for the authenticated user ID to the temporary password, (c) accesses the second program using the authenticated ID and the temporary password, (d) receives data and/or commands from the first program using the security mechanism of the first program and transmits this data and/or commands to the second program, and (e) receives data and/or commands from the second program and transmits the data and/or commands to the user using the security mechanism of the first program.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a diagram of a prior art network where the user must sign on to each application program.
FIG. 2 is a block diagram of a prior art DCE network.

FIG. 3 is a block diagram of a system which incorporates 
the present invention. 

FIG. 4 is a block diagram of the server program.

FIG. 5 is a flow diagram showing the operation of the
invention. 

DETAILED DESCRIPTION OF A PREFERRED 
EMBODIMENT 

A block diagram of a system which incorporates a preferred embodiment of the present invention is shown in FIG. 3. As shown in FIG. 3, user 310 has a connection to a local computer 311 which is connected to DCE compliant network 312. The DCE compliant network 312 conforms to the standards published by the Open Software Foundation for "Distributed Computing Environment" (DCE) networks. Network 312 includes the DCE data sharing services and more particularly the DCE security services, DCE centralized directory services, and DCE remote procedure calls. Several such network operating systems are commercially available. For example IBM Corp. markets such a network operating system under the name "SNA", Digital Equipment Corp. markets such a network operating system under the name "Pathworks", and Novell Corp. markets such a network operating system under the name "Netware". Network 312 is connected to a number of applications 315A to 315D each of which includes a DCE compliant API (Application Programming Interface). Since these applications are DCE compliant they can utilize the DCE Kerberos authentication mechanism and hence, relative to these applications, no log-on names and passwords ever pass through the network where they can be compromised.

Application 352 does not have a DCE compliant API. Application 352 may for example be a commercially available database program of the type marketed by Oracle Corporation of Redwood Shores, Calif., or a database program of the type marketed by Sybase Corporation of Emeryville, Calif. Such data base programs are respectively referred to as Oracle or Sybase databases and they are widely used. In order to access or use application 352, a user must supply an ID and a password that conform to ID's and passwords previously established in the program 352 by what is generally termed a "privileged" sign-on. A privileged sign-on has its own ID and password. When a privileged sign-on accesses the program 352, the privileged sign-on has the power or authority to establish new IDs which can access the program 352 and it also has the power or authority to establish or change the password of other IDs. For example application 352 recognizes a "Change Password" command. However, application 352 will not execute this command if it is issued by a regular sign-on. Such a command will only be executed by application 352 if the command is issued by a privileged sign-on.

If an application program such as application program 352 is directly connected to a DCE compliant network, as is the application 215E shown in FIG. 2, the authentication and security procedures of the DCE network can not be used to access program 352. If program 352 were directly connected to a DCE compliant network, as is application 215E shown in FIG. 2, the program would have to be accessed by sending a separate sign-on ID and a separate password over the network. The reason for this is that application programs such as programs 215E and 352 (which may for example be commercially available Oracle or Sybase data base programs) include their own proprietary authentication and security procedures. Such programs do not conform to the DCE interface specifications. Thus when programs such as program 215E are directly connected to a network, a user who wants to log on to these programs must send a sign-on ID and a password over the network to the programs. There are at least two disadvantages to such a procedure. First, it presents a security risk and second, it is inconvenient.

With applicant's invention a program or server 351 is positioned between the DCE compliant network 312 and the non DCE compliant application 352.

The server 351 physically resides in the same machine 350 as does the application 352. Thus communications between the server 351 and the application 352 never leave the confines of a single piece of hardware. As shown in FIG. 4, the server 351 includes (1) a DCE compliant interface 401 which translates calls transmitted by DCE network 312 to calls in the language utilized by application 352, (2) a thread or subroutine 402 which has coded therein a privileged sign-on to the application 352, (3) a thread or subroutine 403 which signs on to the application 352 as a normal user, and (4) a subroutine 404 which handles communication to and from DCE interface 401 and application 352.

As shown in FIG. 4, application 352 includes an application specific authentication mechanism 352A, which controls access to the main application program 352B. Commercial programs such as Oracle data base programs have such application specific authentication mechanisms.

For ease of reference, the privileged sign-on will be herein referred to as sign-on "Y" and the normal user sign-on will be referred to as sign-on "X". In fact the sign-ons X and Y would have normal multidigit IDs as required by the specifications of application 352. The nature of the privilege possessed by sign-on Y is that user Y can change the password of sign-on X.

The system operates as shown in FIG. 5. When user 310 attempts to access the application 352 using ID X, the request is transferred to system 350 using the normal DCE Kerberos security (as shown by block 501). The server 351 which is in system 350 authenticates the ID X using the normal DCE Kerberos security procedures (block 502). These procedures are such that neither a password nor a user ID is transmitted over the network where it could be intercepted. The procedures and mechanism by which this is accomplished are described in the published literature (for example see the previously referenced technical paper). Next, as indicated by block 503, subroutine 402 signs on to the application 352 as user Y using a password that is securely stored in subroutine 402 (which is stored in computer 350). Subroutine 402 also generates a new temporary password using a random procedure (block 504). When user Y is signed on to the application 352, user Y changes the password for user X to the temporary password that was created (block 505). User Y then signs off from the application 352 (block 506). Next subroutine 403 signs on to application 352 as user X using the newly created password (block 510). The new password is then erased as indicated by block 511.

Once user X is signed on to application 352, commands and data are exchanged between user 310 and server 351 through DCE network 312 using the normal DCE security procedures (block 512). Server 351 translates and exchanges commands and data with the interface 404 in a non secure manner; however, this is not a security risk since these transmissions are inside a single machine 350.

The normal user ID has heretofore been referred to as user X. If for example user 310 is identified by user ID "JOE53", when server 351 in machine 350 receives a request to access data base 352 from user "JOE53", the server 351 would authenticate that the request in fact came from user 310 using the normal DCE Kerberos authentication procedure. The privileged sign-on would change the password in data base 352 for user ID "JOE53" (block 505) and then sign on to the data base 352 using the user ID "JOE53" and the new temporary password. Subsequent commands and requests from user 310 identified by ID "JOE53" would be passed to the data base 352, and data and other information from data base 352 directed to user "JOE53" would be sent over the network to user 310 who is identified as user "JOE53". Thus with the embodiment of the invention shown herein the mapping from the ID of user 310 to the ID of the user sign-on for application 352 is a one to one mapping. It is noted that other more complex mappings could also be used.
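The procedure of blocks 501 to 512, together with the privileged "Change Password" rule described for application 352, as an added worked example in Python. This is not code from the patent: LegacyApplication is a constructed stand-in for an Oracle/Sybase-style application 352 with its own ID/password table, MiddlewareServer plays server 351, and _authenticate_dce is a placeholder for the DCE Kerberos check (a real server would hand the ticket to the DCE security service; only the accept/reject decision is simulated). The account names DBADMIN and JOE53, the "ticket:<principal>" format and the sample data are constructed for the example.

```python
import secrets
import threading


class LegacyApplication:
    # Constructed stand-in for application 352: an ID/password table (352A)
    # guarding a per-user store (352B). Only a privileged sign-on may execute
    # "CHANGE PASSWORD", as the text requires.
    def __init__(self, accounts, privileged_ids):
        self._accounts = {uid: bytes(pw) for uid, pw in accounts.items()}
        self._privileged = set(privileged_ids)
        self._sessions = {}   # session token -> signed-on ID
        self.store = {}       # (owner, key) -> value

    def sign_on(self, user_id, password):
        if self._accounts.get(user_id) != bytes(password):
            raise PermissionError(f"sign-on refused for {user_id}")
        token = secrets.token_hex(8)
        self._sessions[token] = user_id
        return token

    def sign_off(self, token):
        self._sessions.pop(token, None)

    def execute(self, token, command, *args):
        actor = self._sessions[token]
        if command == "CHANGE PASSWORD":
            if actor not in self._privileged:
                raise PermissionError("CHANGE PASSWORD needs a privileged sign-on")
            target, new_password = args
            if target not in self._accounts:
                raise KeyError(target)
            self._accounts[target] = bytes(new_password)
            return "OK"
        if command == "PUT":
            key, value = args
            self.store[(actor, key)] = value
            return "OK"
        if command == "GET":
            return self.store.get((actor, args[0]))
        raise ValueError(f"unknown command {command}")


class MiddlewareServer:
    # Stand-in for server 351; it runs in the same machine as the application.
    def __init__(self, app, privileged_id, privileged_password, trusted_principals):
        self._app = app
        self._y_id = privileged_id                      # sign-on Y
        self._y_password = bytes(privileged_password)   # secret held by subroutine 402
        self._trusted = set(trusted_principals)         # placeholder for the DCE registry
        self._lock = threading.Lock()                   # serialise password changes
        self._sessions = {}                             # X session token -> app ID

    def _authenticate_dce(self, principal, ticket):
        # Block 502. Placeholder for Kerberos ticket verification (assumption);
        # a real server would pass the ticket to the DCE security service.
        return principal in self._trusted and ticket == f"ticket:{principal}"

    def open_session(self, principal, ticket):
        if not self._authenticate_dce(principal, ticket):
            raise PermissionError(f"DCE authentication failed for {principal}")
        app_id = principal   # one-to-one mapping from DCE identity to sign-on X
        with self._lock:
            temp = bytearray(secrets.token_hex(8), "ascii")            # block 504
            y = self._app.sign_on(self._y_id, self._y_password)          # block 503
            try:
                self._app.execute(y, "CHANGE PASSWORD", app_id, temp)   # block 505
            finally:
                self._app.sign_off(y)                                   # block 506
            try:
                x = self._app.sign_on(app_id, temp)                     # block 510
            finally:
                temp[:] = b"\0" * len(temp)                             # block 511
        self._sessions[x] = app_id
        return x

    def relay(self, token, command, *args):
        # Block 512: only the in-machine hop between 351 and 352 is modelled.
        if token not in self._sessions:
            raise PermissionError("no open session for this token")
        return self._app.execute(token, command, *args)

    def close_session(self, token):
        self._sessions.pop(token, None)
        self._app.sign_off(token)


def _refused(action):
    try:
        action()
        return False
    except PermissionError:
        return True


def demo():
    # Constructed accounts: DBADMIN is sign-on Y, JOE53 is sign-on X.
    app = LegacyApplication({"DBADMIN": b"admin-secret", "JOE53": b"old-password"}, {"DBADMIN"})
    server = MiddlewareServer(app, "DBADMIN", b"admin-secret", {"JOE53"})
    token = server.open_session("JOE53", "ticket:JOE53")
    server.relay(token, "PUT", "balance", 42)
    value = server.relay(token, "GET", "balance")
    # X is a regular sign-on, so its session cannot run CHANGE PASSWORD.
    escalation_refused = _refused(
        lambda: app.execute(token, "CHANGE PASSWORD", "DBADMIN", b"pwned"))
    server.close_session(token)
    # Block 505 overwrote X's stored password, so the old one no longer works.
    old_password_refused = _refused(lambda: app.sign_on("JOE53", b"old-password"))
    return value, escalation_refused, old_password_refused
```

demo() returns (42, True, True). Two points of the design show up directly in the code. First, block 505 rewrites X's stored password, so the lock is needed: two concurrent requests for the same ID would otherwise overwrite each other's temporary password between blocks 505 and 510, and a direct sign-on by X with a previously chosen password is refused once the server has used the account. Second, zeroing the bytearray is as close as Python gets to block 511; the language gives no guarantee that other copies (the str returned by token_hex, the application's own stored copy) are gone, so a server doing this for real wants a language with explicit control over memory. Everything still rests on the secrecy of Y's password held by subroutine 402 and on server 351 staying inside machine 350 with the application.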

The specific embodiment of the invention shown herein is a system that includes a network that uses a DCE security system and an application 352 which does not support the DCE security convention. It is noted that the invention could also be used with any first program having a first security protocol and any second program having a different security protocol.

It is also noted that the term subroutine refers to a series of computer instructions which performs a particular task. This term subroutine is synonymous with the terms "thread", "programming module" and "server". While there are differences in nuance between these terms, as used herein each of these terms refers to a series of programming instructions which perform a particular function.

While the invention has been shown and described with respect to a preferred embodiment thereof, it should be understood that various changes in form and detail may be made without departing from the spirit and scope of the invention.

We claim: 

1. A distributed computer system including,

a network operating program that includes a distributed network security protocol,

an application program that includes a second security protocol, a first sign-on ID and a second sign-on ID, said second sign-on ID having an associated password, said first sign-on ID being a privileged ID which can change said password of said second sign-on ID, and

a server connected to a network using said distributed network security protocol, said server including means for signing on to said application program using said second security protocol and said first ID and for changing the password of said second ID to a temporary password, means for signing on to said application program using said second security protocol, said second ID and said temporary password, and means for passing data between said server and said network using said network security protocol.

2. The system recited in claim 1 wherein said network operating program conforms to the specification for a DCE (Distributed Computing Environment) program.

3. The system recited in claim 1 wherein said distributed network security protocol is a Kerberos protocol.

4. The system recited in claim 1 including an application computer, said application program and said server both being located in said application computer.

5. In a distributed computer system that includes a network operating program that includes a distributed network security protocol and an application program that includes a second security protocol, said application program including a first sign-on ID and a second sign-on ID, said second sign-on ID having an associated password, said first sign-on ID being a privileged ID which can change the password of said second sign-on ID,

the improvement comprising;

a server connected to a network using said distributed network security protocol, said server including means for signing on to said application program using said second security protocol and said first ID and for changing the password of said second ID to a temporary password, means for signing on to said application program using said second security protocol, said second ID and said temporary password, and means for passing data between said server and said network using said network security protocol,

whereby data passes from said network to said server using said distributed network protocol and between said server and said application program using said second security protocol.

6. The system recited in claim 5 wherein said network operating program conforms to the specification for a DCE (Distributed Computing Environment) program.

7. The system recited in claim 5 wherein said distributed network security protocol is a Kerberos protocol.